Jenkins: SAML, Okta, user groups and Role-Based Security plugin

Still on the subject of the Okta and SSO for Jenkins – let’s configure a Role-Based Security plugin for our Jenkins. See the first part in the Jenkins: SAML Authentication with Okta SSO and users groups post.

The general idea is to have user groups defined in the Okta, and Okta has to pass a user’s group when he will log in to the Jenkins.

Then Jenkins has to assign correct permissions for this user based on its group(s).

Contents

The Role-Based Security plugin configuration

Install the Role-based Authorization Strategy plugin itself:

Go to the Configure Global Security, switch the button to the Role-Based Strategy:

Go to the Manage and Assign Roles:

Create roles – global roles

Roles here are divided into three areas:

global roles: obviously, global roles for global permissions, such as create/delete Views, Jobs, Overall
project roles: the permission settings on a per-project basis – jobs are limited by a regular expression
agent roles: Jenkins slaves/workers/agent permissions

If you’ll try to log in right now – will face with the “missing the Overall/Read permission” error:

To avoid it – need to create a global role with the Overall Read permissions.

Go to the Manage Roles:

Create a new global role called read_all and set permissions to the Overall – Read:

Save.

Assign Roles

For example, let’s take a Test user:

It has two groups assigned – the Everyone and the DevOps.

Go to the Assign Roles, add the Everyone group and assign the read_all to it:

Save and log in under this user:

Okay – you are able to log in, but can’t see any jobs right now.

Project roles

Next, need to create roles to grant access to various jobs/views.

For example, we have an Android view with jobs for our Android-developers:

Go to the Manage Roles, add an android_developer role and in the Pattern set the (?i)android_.* value – here, with the (?i) we set to case-insensitive search and with the android_.* – will select all Android jobs: